There is a lot to do when you start a new project. But one thing that can have a big effect on your ultimate success is how you approach risk management. So, we asked risk management expert, Keith Baxter, to offer his advice on a successful risk management kick-off.
Keith is the founder of De-RISK and the developer of the ABCD risk management process. It takes a robust approach to strategic project risk management. He has tremendous experience of coaching clients through the whole risk management process, from the first Risk Management kick-off, through to close-out.
For his article, he takes the example of a larger-scale project. For your own risk management kick-off, you may want to scale his advice to your needs. Some of these steps may take one week (or more). But, on a small project, they would take days or less. And some steps could even be skipped.
Small or Large Projects
Keith and I share the perception that projects with fewer than 10 to 12 stakeholders are small projects. Much of Keith’s process is optimised for projects with maybe 50 or more stakeholders. So, If you have, say, 20 to 30 people on your project, you may want to adapt some of these ideas.
Risks and Assumptions
Risks and assumptions are two sides of the same coin. Every plan is based on a few facts and a lot of assumptions. And every assumption could be wrong.
The nature of a risk is uncertainty. And that is the nature of an assumption too: it may or may not turn out to be correct. So, each assumption carries with it a matching risk: that the assumption is false.
An important element of Keith’s approach to managing risk is to focus on the underlying assumptions in your plan and hence get directly to the root-cause of the associated risks.
So, let’s dive into the task of kicking-off risk management on your project, and hand over to Keith.
The Risk Management Challenge
Before we start, you may be wondering: ‘What is Risk Management?’
Starting any new project role can be daunting. But in risk management especially, it is crucial to hit the ground running. An effective risk management leader must:
- take control quickly
- seek to understand the key facts
- build relationships as soon as possible
- establish team processes for risk monitoring and control
You may also like our article: ‘How Project Risk Management will Make You a Better PM‘.
Risk Management Kick-off: How You Start is Crucial
Often in professional life, how you start is crucial. And project management is no different. Perhaps it’s especially so with Risk Management. So, I have thought carefully about how a Project Manager should carry out a Risk Management Kick-off at the start of a new project or programme.
This is the approach a risk management professional would take. You may want to adapt this for the opening weeks of your own project.
In this model, I’ve laid out each of the first ten steps:
- Get to know your stakeholders
- Decide on your process
- Choose and implement your risk management toolset
- Start risk identification
- Set up and run your first Risk Review Board
- Coach for risk action planning
- Begin a second round of risk identification
- Run a second risk review board
- Develop a long-term plan
Step 1: Get to Know Your Stakeholders
Your stakeholders are crucial to the success of your project in general, and to the effectiveness of your risk management in particular. So, start your risk management kick-off with them. Identify who they are and start to get to know them.
Set up meetings, and use this time to get to know your stakeholders both formally and informally. Focus on those with the greatest power or influence over your project. Think about how you can win over any influential people who may oppose or contradict your ideas.
It is best to establish face-to-face discussions when possible. If other project managers who have worked with these stakeholders are available, take the time to learn from their successes and failures. Expand this activity to your entire team, as much as possible.
And make sure to validate any significant views with your sponsor and other senior management, so you can separate any ‘grumbles’ from genuine concerns. Be open and bold – it’s okay to make some mistakes early on in this ‘honeymoon’ phase of your project.
Step 2: Decide on Your Process
Once formal communication lines are up and running, it is time to act. If you already know your preferred risk management process and toolset, it is time to familiarise the rest of the team. Make this as much fun as possible. You may want to build your risk management kick-off briefing into your wider project kick-off meeting. But, allow enough time to ensure that your team can see risk management as a crucial part of your project management approach.
Maybe you are starting with a ‘blank sheet’. In this case, consider using a proven and highly effective assumption-based process such as ABCD Risk Management.
[thrive_text_block color=”note” headline=”ABCD Risk Management”]
Assumption Based Communication Dynamics (ABCD) is highly effective risk management process. It is the methodology that De-RISK uses with its clients, but is suitable for project managers to adapt as a part of your own toolset.
ABCD captures the collective knowledge and viewpoints from stakeholders on the project. By dramatically improving the communication of key assumptions, you can avoid risks, manage them proactively, and so deliver project objectives on time.
De-RISK ABCD works far more effectively than traditional risk management processes,
- Compels people to look to the future (their assumptions) and therefore ensures true risk management
- Captures specific root-causes of risks (the assumptions) that gives pin-point fixes
- Uses meaningful analysis that provides true insight and accurate prioritisation
- Provides clear prioritisation and escalation from project through programs to enterprise level portfolios
- Ensures follow-through on actions via simple but effective roles and governance structures
At the most basic level, ABCD works because it is an intuitive process. It takes a prioritization than a negative view of the enterprise. It asks: ‘what do you need, to achieve your objectives? (that is, your assumptions), rather than: ‘what might go wrong? (your risks).
At the core of ABCD is Assumption Analysis. This uses structured techniques to analyze project plans and identify the most sensitive assumptions. These are potentially unstable, and therefore the source of greatest risk.
Assumptions are on an ABCD scale, where: A is always ‘good’ and D is always ‘bad’. This provides a meaningful assessment on each assumption. And notice that there is no ‘medium’! This is deliberate and forces users to opt for high or low, rather than take an easy ’middle’ option. This also guides the mitigation plans by indicating how best to attack the risk:
- Stabilise the underlying assumption or
- De-sensitise the project to the effects of the assumption
Snapshot ‘risk profiles’ make it easy to communicate risk management progress and trends with senior management.
Strategic Target Analysis
How can we avoid the timescales of the programme spinning out of control? Strategic Target Analysis (STA) is a process within ABCD that can define the timescale risk within a project from as early as the proposal stage. It works by adding a ‘quality’ dimension to the estimating process. Here, high quality estimates are based on relevant experience. You treat these differently from low quality estimates that are little more than guesses.
The output takes the form of a probability distribution diagram. Alongside it is a referenced set of assumptions that you manage to move the curve to the left and squeeze it. That is, you reduce the overruns and the uncertainty.
Similar processes are available to analyse cost and benefit risks.
Note that it is easy to confuse STA with Quantitative Schedule Risk Analysis (QSRA). This is increasingly used on large scale programmes and often gives very inaccurate results!
ASSURE Risk Toolkit
AssureTMis a powerful web-based tool that works with the ABCD data. Users can easily manage the data and produce reports, such as:
- Assumption/Risk Registers
- Risk profile ‘Bubble Diagrams’
The information is viewable through any browser. This makes for effective communication across your intranet or secure internet.
It allows all stakeholders to review each other’s assumptions online. In this way, risks that you could miss with a traditional risk management approach will become evident from the identification of inconsistent or contradicting assumptions.
Assure is designed to fully support the ABCD process. It makes the coordination of risk management across large programs significantly easier and far more effective.
Step 3: Choose and Implement Your Risk Management Toolset
Tool selection is a large task that is outside the scope of this article. And for many projects, you won’t need a formal risk management tool. Often, one of either of these will suffice:
- the tools built into your project planning software, or
- simple tools built with your existing office software
However, be aware of the limitations of a package like Excel in terms of standardisation, ease of use, and communication.
If your organization is buying in a risk management process or tool, then it may be most effective to get your vendor to do the training. First-hand training is always better than second-hand training by a less experienced person.
Make sure the toolset is live, tested, and available before the process training. The most effective approach s to blend together training of both process and tool .
Most importantly, make sure that the underlying process is sound. A tool-led solution without an effective underlying process will give you ‘garbage-in, garbage-out’.
Convince Your Team that the Process is Right
By now, I will assume you have won over senior management, and they are on your side. So, the next logical step is to convince the rest of your stakeholders that the process and toolset are right.
A good way to start it to organise a series of briefing sessions to cover the entire project team. Ideally a senior member of management will attend the meetings to champion your points. This will strengthen your request for people to use the tool as it should be.
Be sure to demonstrate how the process is in place to make the lives of your team easier and to improve visibility and control for your sponsor. Cover questions such as:
- Where is risk management in the project now?
- How will this (the process) be implemented)?
- What do you want from the audience?
- How will this benefit them individually?
For some projects, your introduction of the risk management process and tools will be the main business of your Risk Management Kick-off meeting.
Step 4: Start Risk Identification
With your project team and your sponsors behind you, now is the time to start identifying risks. You need to go out and capture risk data. Depending on time constraints and budget, it may be necessary to forgo interviews and focus instead on workshops but be clear that one-on-one interviews produce much better quality and structured data than workshops, and particularly when using assumption-based techniques.
Be as pro-active as possible when speaking with your team. They will be freshly trained and enthusiastic, but prone to mistakes. Concentrate on:
- Quality rather than quantity, and
- Specific rather than generic.
For example, it’s much better to identify the top ten risks clearly rather than capturing 100 risks roughly. Your main focus should always be clear, unambiguous communication, and to establish the right balance between too much and too little information.
Step 5: Set-up and Run Your First Risk Review Board
The Risk Review Board (RRB) is the focal point of your risk management process. The RRB needs to meet (at least) monthly, with the first two meetings establishing the process.
The purpose of the Risk Review Board is to oversee all project risks in a coherent manner. Consequently, it should consist of senior people who can make risk mitigation happen. These will be:
- Your Project or Program Sponsor
- The Project Manager
- The There is a lot to do when you start a new project. But one thing that can have a big effect on your ultimate success is how you approach risk management. Risk Owners
Your Risk Owners (ROs) are the senior people who take organizational responsibility for one or more risks. Their role is to fully understand each risk they own, and to ensure that team members form appropriate action plans, and put those plans to work.
Risk Action Managers
The people to whom an RO delegates the planning and management of a risk are the Risk Action Managers (RAMs). Risk Action Managers would not normally attend a RRB meeting. However, they could be Risk Owners for other risks.
For more on risk response strategies, see our article: ‘Risk Response Strategies: Full Roundup‘.
Note that the RO and RAM roles are different. For small projects, one person may take the RO and RAM role, or perhaps the Project Manager acts as risk Owner, allocating RAM roles to team members. In a somewhat larger project, perhaps Workstream Leaders would act as ROs, allocating RAM roles to their team members.
The RRB First Meeting
The first meeting will focus on reviewing risk data that you captured at Step 4:
- Understanding what the risks are
- Prioritizing them
- Agreeing Risk Owners and Risk Action Manager for each risk.
In addition, the chair will want to assess how well the meeting works, and consider improvements for next time.
Following the meeting, ROs will work with their RAMs to create a Risk Action Plan for each risk.
For more on understanding and prioritizing risks, see our article: ‘The Project Manager’s Guide to Simple Risk Analysis‘.
Step 6: Coach for Risk Action Planning
Risk action planning might sound obvious and straightforward – but it isn’t. It is essential to schedule time with each Risk Action Manager to go through the risks you have allocated to them. You are there to help them during the entire process, and to answer any questions. At this meeting, depending on their level of experience, you might work with them to:
- Demonstrate best-practice risk planning
- Coach them to find their own risk management solutions
This should not take too long. But, do make sure the Risk Owners and Risk Action Managers know what their responsibilities are.
Step 7: Begin a Second Round of Risk Identification
On a larger project, you may have a second round of workshops or interviews. Using the risks you have already captured as a baseline, your focus will be on two things:
- Cross communication of the assumptions/risks you captured previously
- Capturing new assumptions/risks that have emerged since the last cycle or that you missed in the last cycle
In this process, originators may close their own risks if they believe them to be now resolved. But they can offer no (formal) view on risks raised by others. They can add questions or clarifications in the form of notes, but the formal content and ratings are not for them to change.
Step 8: Run a Second Risk Review Board
Now, your risk process is entering the ‘ongoing’ phase. In this phase the Risk Review Board agenda shifts to reviews. Reviewing:
- New risk action plans and approving or rejecting
them Riskratings, based on the risk action plan status/progress and updating them
- New risks and agreeing ratings and allocating roles (as per the first RRB)
Perceptions here are very important. So, keep in mind that your sponsor will expect to see momentum building and the process becoming more efficient. You should schedule your Risk Review Board meetings so that you can attend all of them and so can your sponsor; especially in these early stages.
Step 9: Reflect
Now is the time to reflect. Good questions to ask include;
- ‘Where are we going?’
- ‘What went well?’
- ‘What could go even better if…?’
Take some time to reflect on what has gone well, and what has gone poorly. Critically review areas where you failed to meet expectations. For real continuous improvement, ask your senior colleagues or peers for an informal progress review. That way you will know where you truly stand. Be brave – you are still in your honeymoon period – just!
Step 10: Develop a Long-term Plan
Over the period of your risk management kick-off, you will have built a reputation as a
The journey you took will have depended on whether you had started from scratch, or were working with an experienced project team. The key is to now think about the direction you want risk management on the project, and possibly in the wider business, to head in.
Subsequent Risk Review Board Meetings
Subsequent Risk Review Boards will have a standard agenda that allows for;
- Monitoring progress against existing Risk Action Plans
- Allocating risk ratings, based on the risk action plan status, and updating them
- Reviewing new risk action plans and approving or rejecting them
- Assessing new risks and agreeing ratings and allocating roles (as per the first RRB)
Risk Management Culture
You may feel ambitious, and target a full risk management culture. In this case, do take a look at our article, ‘How to Build a Robust Project Risk Culture [8 Steps]’. The important thing is this… Once you have your plan: practise what you preach and identify the key assumptions that you are making and assess them for risk.
Monitoring Risk Management Performance
Finally, be as specific as possible about how you will know that you are succeeding. Set your project Key Performance Indicators (KPIs) and targets. In particular, financial KPIs that quantify major risks will be fundamental in helping to justify future investment in risk management. They will also hep you show off the performance of your team – and demonstrate risk management credentials as a highly capable project leader.
This article is based on Keith’s excellent book, in the Financial Times ‘Fast Track to Success’ series: Risk Management. Sadly, due to changes in ownership of the publisher, new print editions are not currently available. Second-hand copies are available (on Amazon etc), as are ebook versions (US|UK), which I highly recommend.
You may also like our articles: